Slide 1
@afilina Surviving Your Next Data Breach PHPUGFFM, Frankfurt - June 01, 2017

Slide 2
You will get hacked

Slide 3
It Happens
• Dropbox: 68 million
• Adobe: 152 million
• LinkedIn: 164 million
• Yahoo!: 1.2 billion

Slide 4
Anna Filina
• Project rescue expert
• Dev, trainer, speaker

Slide 5
Ways to Get Breached
• Hackers
• Employees
• $5 consultants

Slide 6
$5 consultants?!

Slide 7
No content

Slide 8
Don't use server passwords. Use SSH keys.

Slide 9
Zero-out development data

Slide 10
Background security checks

Slide 11
Sensitive Data
• Passwords
• Credit cards
• Social security numbers
• Current locations
• IP addresses
• ...

Slide 12
Getting Ready for the Breach
• Store less
• Make stolen data useless
• Post-breach procedures

Slide 13
Store less sensitive data

Slide 14
$5,000 - $100,000 per month

Slide 15
But... recurring billing!

Slide 16
No content

Slide 17
Diagram (labels only): User, Credit card, Vault, Token, App, Amount + token, Payment gateway

Slide 18
**** **** **** 0123

Slide 19
Sessions!

Slide 20
No content

Slide 21
Diagram (labels only): User, Credit card, Vault, Token, App, Amount + token, Payment gateway

Slide 22
**** **** **** 0123 [Edit]

Slide 23
Implementation Effort?
• ~5 hours
• Includes reading documentation
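The tokenization flow of slides 16 to 23, as an added PHP example that is not part of the talk: the card number goes to the gateway's vault once, the application keeps only an opaque token and the last four digits, and recurring charges send amount plus token. `VaultGateway` is a hypothetical stand-in for a real provider's SDK (real gateways expose equivalent tokenize and charge calls under their own names); the card number is the test number from slide 25.

```php
<?php
// Added example (not from the talk): keep a gateway token, never the card number.
declare(strict_types=1);

/** Hypothetical payment gateway. The only component that ever sees the PAN. */
final class VaultGateway
{
    /** @var array<string, string> token => "PAN|expiry", lives only inside the gateway */
    private array $vault = [];

    /** Tokenize a card: returns an opaque token plus the last four digits. */
    public function tokenize(string $pan, string $expiry): array
    {
        // Random token: nothing about the PAN can be derived from it.
        $token = 'tok_' . bin2hex(random_bytes(16));
        $this->vault[$token] = $pan . '|' . $expiry;
        return ['token' => $token, 'last4' => substr($pan, -4)];
    }

    /** Charge an amount in cents against a previously issued token. */
    public function charge(string $token, int $amountCents): bool
    {
        return isset($this->vault[$token]) && $amountCents > 0;
    }
}

/** Application side: this table is all a dump of our database would expose. */
final class CustomerCards
{
    /** @var array<int, array{token: string, last4: string}> */
    private array $rows = [];
    private VaultGateway $gateway;

    public function __construct(VaultGateway $gateway)
    {
        $this->gateway = $gateway;
    }

    /** Called once when the user enters a card; the PAN is never persisted here. */
    public function addCard(int $userId, string $pan, string $expiry): void
    {
        $digits = preg_replace('/\D/', '', $pan);
        $this->rows[$userId] = $this->gateway->tokenize($digits, $expiry);
    }

    /** Recurring billing (slide 15): only amount + token leave the app. */
    public function bill(int $userId, int $amountCents): bool
    {
        if (!isset($this->rows[$userId])) {
            return false;
        }
        return $this->gateway->charge($this->rows[$userId]['token'], $amountCents);
    }

    /** Profile page display, as on slides 18 and 22. */
    public function maskedCard(int $userId): string
    {
        return '**** **** **** ' . $this->rows[$userId]['last4'];
    }

    /** What an attacker who dumps our table actually gets. */
    public function dump(): array
    {
        return $this->rows;
    }
}

$cards = new CustomerCards(new VaultGateway());
// Constructed input: the well-known test card number from slide 25.
$cards->addCard(42, '4111 1111 1111 1111', '06/17');
echo $cards->maskedCard(42), PHP_EOL;
echo 'monthly charge ok: ', var_export($cards->bill(42, 4999), true), PHP_EOL;
echo 'stored rows: ';
var_export($cards->dump());
echo PHP_EOL;
```

Replacing the card ("Edit" on slide 22) is just another `addCard` call: the old token is overwritten and the vault, not the application, is responsible for retiring it. The PAN passes through `addCard` in memory only; make sure request logging, exception reports and debug toolbars do not capture that request body, or the "store less" goal is defeated on the side.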
Slide 24
Alternative Storage
• Comments

Slide 25
Please charge half on 4111 1111 1111 1111 (06/17) and the other half on 4012 8888 8888 1881 (10/19)

Slide 26
Passwords
• No plaintext.
• No hash.

Slide 27
Rainbow tables!

Slide 28
How do They Work?
• Create string permutations
• Compute hashes
• Steal password hashes
• Look up in table

Slide 29
Collisions
• They are rare
• Pick the shortest and most obvious
• Can just try all matches on a site

Slide 30
Rainbow tables can be downloaded

Slide 31
What Then?
• Salted hash
• Repeated hashing

Slide 32
Repeated Hashing
Diagram: Password → +salt + hashing → Hash → +salt + hashing → Hash, repeated x20,000

Slide 33
bcrypt

Slide 34
Password Policy
• Don't limit number and type of characters
• Harder to generate rainbow tables
• Also prevents brute force
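Slides 26 to 34 in code, as an added example that is not part of the talk: an unsalted fast hash makes every user who picked the same password share one hash that a precomputed table resolves in a single lookup, whereas bcrypt through PHP's `password_hash` embeds a random salt and a cost factor. The "stolen" rows and the lookup table are constructed for the example.

```php
<?php
// Added example (not from the talk): lookup-table bait versus bcrypt.
declare(strict_types=1);

/** Unsalted fast hash: same password => same hash, for every user and every site. */
function weakHash(string $password): string
{
    return md5($password);
}

/** A tiny constructed lookup table of the kind built offline from common passwords. */
function buildLookupTable(array $candidates): array
{
    $table = [];
    foreach ($candidates as $candidate) {
        $table[weakHash($candidate)] = $candidate;
    }
    return $table;
}

/** bcrypt with an explicit cost; salt and cost are part of the returned string. */
function storePassword(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function checkPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

/** On successful login: upgrade hashes made with a lower cost than we want today. */
function rehashIfNeeded(string $password, string $stored, int $cost): ?string
{
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return storePassword($password, $cost);
    }
    return null;
}

// Constructed "stolen" rows: two users chose the same weak password.
$stolen = ['alice' => weakHash('password1'), 'bob' => weakHash('password1')];
$table  = buildLookupTable(['123456', 'password1', 'qwerty']);
foreach ($stolen as $user => $hash) {
    echo $user, ': ', $table[$hash] ?? '(not in table)', PHP_EOL;
}

// bcrypt: same input, different hashes (random salt), so no table can be prepared.
$a = storePassword('password1');
$b = storePassword('password1');
echo 'hashes differ: ', var_export($a !== $b, true), PHP_EOL;
echo 'verify ok: ', var_export(checkPassword('password1', $a), true), PHP_EOL;
echo 'algorithm and cost prefix: ', substr($a, 0, 7), PHP_EOL;

// Raising the cost later: old hashes are replaced transparently at next login.
$old = storePassword('password1', 10);
echo 'rehashed: ', var_export(rehashIfNeeded('password1', $old, 12) !== null, true), PHP_EOL;
```

Two caveats a practitioner should keep next to slide 34: bcrypt only uses the first 72 bytes of the password, so "don't limit the number of characters" is true for the input form but the extra bytes add no strength, and the cost should be chosen by measuring `storePassword` on the production hardware (a few hundred milliseconds is the usual target), not copied from an example.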
Slide 35
Security Questions
• Known by a wide group of people
• You're storing more private data
• Security questions on other sites

Slide 36
Response plan

Slide 37
Example Procedure
• Log out.
• Mark as compromised (is_dirty=1).
• Force 2nd factor auth.
• Force password change.
• Mark as not compromised.
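The slide 37 procedure as an added PHP example, not code from the talk: marking an account compromised revokes every session, not just the current one, and the login flow then forces the second factor before the password change, so a stolen password alone cannot complete the reset. The in-memory `SessionStore` and the `User` flags (`isDirty` stands for the slide's `is_dirty=1`) are assumptions made for the example.

```php
<?php
// Added example (not from the talk): compromised-account flow of slide 37.
declare(strict_types=1);

final class SessionStore
{
    /** @var array<string, string> session id => user name (constructed in-memory store) */
    private array $sessions = [];

    public function open(string $user): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = $user;
        return $id;
    }

    public function isValid(string $id): bool
    {
        return isset($this->sessions[$id]);
    }

    /** Step 1 "Log out": revoke every session of the user, on every device. */
    public function revokeAllFor(string $user): int
    {
        $before = count($this->sessions);
        $this->sessions = array_filter($this->sessions, fn ($u) => $u !== $user);
        return $before - count($this->sessions);
    }
}

final class User
{
    public string $name;
    public bool $isDirty = false;          // is_dirty=1 on the slide
    public bool $secondFactorDone = false;
    public bool $passwordChanged = false;

    public function __construct(string $name)
    {
        $this->name = $name;
    }
}

final class CompromiseHandler
{
    private SessionStore $sessions;

    public function __construct(SessionStore $sessions)
    {
        $this->sessions = $sessions;
    }

    /** Steps 1 and 2: log out everywhere and flag; progress resets so both steps run again. */
    public function markCompromised(User $user): void
    {
        $this->sessions->revokeAllFor($user->name);
        $user->isDirty = true;
        $user->secondFactorDone = false;
        $user->passwordChanged = false;
    }

    /** Steps 3 and 4: what the login flow must force next; null means the account is clean. */
    public function requiredStep(User $user): ?string
    {
        if (!$user->isDirty) {
            return null;
        }
        if (!$user->secondFactorDone) {
            return 'second_factor';
        }
        if (!$user->passwordChanged) {
            return 'password_change';
        }
        return null;
    }

    public function recordSecondFactor(User $user): void
    {
        $user->secondFactorDone = true;
    }

    /** Accepted only after the second factor; step 5 clears the flag once both are done. */
    public function recordPasswordChange(User $user): bool
    {
        if (!$user->secondFactorDone) {
            return false;
        }
        $user->passwordChanged = true;
        $user->isDirty = false;
        return true;
    }
}

$sessions = new SessionStore();
$handler  = new CompromiseHandler($sessions);
$alice    = new User('alice');
$sid      = $sessions->open('alice');

$handler->markCompromised($alice);
echo 'old session valid: ', var_export($sessions->isValid($sid), true), PHP_EOL;
echo 'next step: ', var_export($handler->requiredStep($alice), true), PHP_EOL;
echo 'password change without 2FA accepted: ', var_export($handler->recordPasswordChange($alice), true), PHP_EOL;
$handler->recordSecondFactor($alice);
echo 'next step: ', var_export($handler->requiredStep($alice), true), PHP_EOL;
$handler->recordPasswordChange($alice);
echo 'next step: ', var_export($handler->requiredStep($alice), true), PHP_EOL;
```

In a real application `requiredStep` runs as middleware on every authenticated request, so a user who logs back in after the breach can reach nothing but the second-factor and password-change screens until the flag is cleared. Keeping the flag in the database rather than in the session is what makes the first step effective: revoked sessions cannot carry stale "already verified" state.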
Slide 38
2FA
• 1-time code (e-mail, SMS)
• Time-synchronized 1-time password
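Both second factors of slide 38 as an added PHP example that is not part of the talk: a single-use e-mail or SMS code with an expiry, and a time-synchronized one-time password implemented as TOTP (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) on top of HOTP (RFC 4226). The `OneTimeCode` store and the verification window size are assumptions; the secret `12345678901234567890` is the ASCII test secret from RFC 6238's test vectors.

```php
<?php
// Added example (not from the talk): e-mail/SMS one-time codes and TOTP.
declare(strict_types=1);

/** Single-use code sent by e-mail or SMS. Only a hash of the code is kept. */
final class OneTimeCode
{
    private ?string $hash = null;
    private int $expiresAt = 0;

    /** Issue a 6-digit code valid for $ttl seconds; the caller sends it to the user. */
    public function issue(int $now, int $ttl = 300): string
    {
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $this->hash = password_hash($code, PASSWORD_BCRYPT, ['cost' => 8]);
        $this->expiresAt = $now + $ttl;
        return $code;
    }

    /** Redeem once: expired, already-used or wrong codes all fail the same way. */
    public function redeem(string $code, int $now): bool
    {
        if ($this->hash === null || $now > $this->expiresAt) {
            return false;
        }
        $ok = password_verify($code, $this->hash);
        if ($ok) {
            $this->hash = null; // consumed; a replay of the same code fails
        }
        return $ok;
    }
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          | ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP with the counter derived from the Unix time. */
function totp(string $secret, int $timestamp, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($timestamp, $step), $digits);
}

/** Accept the current step and $window steps either side for clock drift; constant-time compare. */
function verifyTotp(string $secret, string $code, int $now, int $window = 1, int $step = 30): bool
{
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp($secret, $now + $i * $step, $step), $code)) {
            return true;
        }
    }
    return false;
}

// E-mail/SMS code: valid once, within its lifetime.
$otc  = new OneTimeCode();
$now  = time();
$code = $otc->issue($now);
echo 'first redeem: ', var_export($otc->redeem($code, $now + 10), true), PHP_EOL;
echo 'replay: ', var_export($otc->redeem($code, $now + 11), true), PHP_EOL;

// TOTP against the RFC 6238 SHA-1 test secret at T = 59 and at a drifted clock.
$secret = '12345678901234567890';
echo 'code at T=59: ', totp($secret, 59), PHP_EOL;
echo 'accepted with 20 s drift: ', var_export(verifyTotp($secret, totp($secret, 59), 79), true), PHP_EOL;
echo 'accepted 2 steps late: ', var_export(verifyTotp($secret, totp($secret, 59), 59 + 60), true), PHP_EOL;
```

RFC 6238 lists `94287082` for this secret at T = 59, of which the six-digit code is the last six digits, `287082`, so the block can be checked against the RFC's own table. For production use, the per-user secret comes from `random_bytes`, is stored encrypted and shared with the authenticator app as base32, and a code that has already been accepted should be rejected for the rest of its step, since a TOTP code is otherwise replayable for up to 30 seconds plus the window.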
Slide 39
Next Steps
• What else do you not need?
• E-mails?

Slide 40
Let's protect private data

Slide 41
@afilina afilina.com